Securing Industrial IoT: There is no simple answer

There are lots of terms thrown around these days, such as: Internet of Things (IoT), Industrial Controls Systems (ICS), Operational Technology (OT). What this means is that there are billions of interconnected consumer devices and industrial systems, not running a traditional computer operating system. This number dwarfs the number of traditional computer systems and it is predicted to grow to tens of billions of connected devices by 2020. The Industrial IoT could be defined as the subset of endpoints on our enterprise networks, which include building automation, industrial controls, sensors and embedded systems. Having spent nearly two decades in a manufacturing environment, I feel confident in saying that the number of Industrial IoT devices already outnumber traditional computer systems on our enterprise networks.

Automation technologies and machine to machine (M2M) communications hold great promise for streamlining processes, improving quality and efficiency in industry. The benefits of these systems should be recognized, but so should the risk they bring to the table.

We have created a category called Industrial IoT and dumped all the non-traditional systems into this box, yet these Industrial IoT devices don’t follow a single standard. These are systems, generally purchased and managed by non-IT teams to perform specific tasks. Some of these systems will be configurable, others will not. Some offer remote management, others don’t. Some come with default passwords, others require no authentication at all. They often utilize OT rather than IT protocols, which are less well understood by IT personnel. In addition, because of the lack of central ownership, there is rarely a complete inventory of these systems. This means that these systems are both at risk, and pose a risk to other IT systems because they do not follow traditional IT standards for management and security.

If the goal is to better secure these systems, the first step is to build a complete inventory of these assets. The goal should be to centralize this information and keep it up to date. This is an improvement over the poorly maintained spreadsheets that many companies utilize today, which vary from factory to factory. With a complete inventory of these systems, risk management requires insight into their configuration and posture. Because they are non-standard, it will require additional effort both to assess their exposure, and to define standards for how these assets should be configured. It will require executive sponsorship to devote the resources necessary to accomplish this with a reasonable timeline. This is the type of project that is very difficult to justify and drive from the bottom-up. Business leaders need to be made to see the value in the overall effort to develop standards and manage OT risk. In my experience, third party risk assessments of your manufacturing environment should help to communicate the risks to executives.

Now that you have a reliable inventory and assessment of where these systems are vulnerable, just how do you bring them in line with standards? How do you change from the default password and manage passwords on disparate systems in multiple business units? How do you perform change management with non-traditional IT systems? How do you track changes, and keep people from making unauthorized changes? Logging and auditing these systems may not be possible due to their limited system resources.

Non-traditional systems may often have vulnerabilities that cannot simply be patched. They may be running older and unsupported operating systems, or be designed to be open to M2M communications. They may require manual updates to firmware. They may be vulnerable to denial of service attacks, or even up the health and safety of employees at risk if they become compromised. These non-compliant systems may pose a risk and in some cases used as a platform to attack traditional IT systems. They may utilize wired or wireless connectivity. In some cases, they may need to communicate outbound to the Internet, to share data or for management and software updates.

Many of these systems were designed to serve limited functions. If they cannot all be managed, given that replacing them with more capable systems may be expensive and in many cases not possible, does this mean that you shift the security and management controls to the network? Today, the best practice is to isolate these systems on your network, but it doesn’t seem that simple network segmentation is going to be the best solution in the future, as these systems become more ubiquitous and integral to business operations.

Since it is not feasible, nor desirable, to entirely isolate these systems from the IT network, they will be attacked. How do you gain visibility to these attacks? If you see strange traffic or get an IDS alert, how do you track it down when Industrial IoT systems are involved? How do you correlate alerts across IT and OT, to accurately view the movement and actions of an adversary on your network? These are the challenges that we face today, and in the future as these systems grow in number and attacks shift from traditional IT computer systems to OT/ICS systems.

Without being able to have an accurate inventory, assess posture and vulnerabilities, account for threats and properly value these assets, calculating risk is a daunting task. Isn’t it reasonable to expect that in the future, the bulk of our risk resides with the bulk of our assets?

In the enterprise, today, our tools are limited. We find ourselves performing manual inventories. We have limited resources, so we can’t fully assess the posture and vulnerabilities and put the automation and management in place that we recognize will be required. We also cannot wait for vendors to build in proper remote management and authentication in every Industrial IoT system, down to the level of individual controllers and sensors. One thing that is for certain, is that we can start to converge IT and OT in the enterprise, so our approach to security and risk management is uniform and consistent. This way we can include OT in our budget and make it the priority it should be, with upper management support and a long-term roadmap.

I cannot predict the future with much reliability, however it seems evident that there are no simple solutions that we can implement ourselves. We need to partner with innovative vendors to solve these tremendous and important problems. This is a huge opportunity in the security vendor space to develop innovative solutions that help us move beyond enumerating our problems, to solving them. This may require change in the very architecture of networks and will certainly require a shift in our thinking.

The article was written by Dr. John Johnson, CEO and Founder of Aligned Security. He is a founding member of the Security Advisor Alliance (501c.3), a member of SC Media Editorial Board, and serves on advisory boards for innovative security startups. He spent 17 years as security architect for a Fortune 100 global manufacturing company, where he managed infrastructure and developed strategy and secure architecture solutions for protecting a global corporate network, endpoints, industrial systems and the supply chain. Dr. Johnson was previously network security manager for the Theoretical Division at Los Alamos National Laboratory, and an experimental staff physicist developing radiation systems for nuclear remediation and non-proliferation. Dr. Johnson also develops and teaches graduate cybersecurity courses and helped develop the CISO executive certificate program with University of Chicago, Booth School of Management. He is a frequent speaker at industry conferences and serves as program committee member for RSA Conference and Black Hat. Over his career, he has served in leadership roles in technical and professional societies, including IEEE, InfraGard and (ISC)2. Dr. Johnson has received various awards in recognition of his contribution to the profession, and was runner up for 2014 Chicago CISO of the Year.